This repository is a reference document. It maps the 11 pillars of AI Attack Surface Management to the NuClide tools that cover them, and it tracks the shipment state of each. The tools listed here live in their own repositories. No code lives here.
CSPM and generic EASM cannot see the shadow ML perimeter: unauthenticated Ollama runtimes on developer laptops, public Qdrant clusters holding training data, Langfuse dashboards leaking conversation logs, Flowise instances claimable through an open install wizard. AI-ASM is the program that does see it, from the outside, the way an attacker sees it.
A program-level map. The canonical toolchain lives across the individual NuClide repos. This repo holds the index.
If you want to:
- run a scan, use aimap or tiptoe
- harvest targets, use scanner after a Shodan or Censys pull
- read the survey corpus, see AI-LLM-Infrastructure-OSINT
- understand a pillar's coverage, read the table below

| ASM pillar | NuClide tool(s) | State |
|---|---|---|
| Discover assets | JAXEN, VisorSD, VisorGoose, menlohunt, recongraph, VisorGraph | shipped |
| Active banner | scanner, tiptoe | shipped |
| Fingerprint and identify | aimap | shipped, core engine |
| Enumerate exposure | aimap, nu-recon | shipped |
| Attribute ownership | VisorGraph cert-pivot, aimap-profile, TLS-CN sweep | shipped |
| Score and prioritize | VisorScuba, BARE, cortex | shipped |
| Ledger and state of record | VisorLog (nuclide.db) | shipped |
| Report and visualize | visor-report, VisorLog dashboard | shipped |
| Orchestrate | VisorPlus, visor-chain-runner.sh | shipped |
| Continuous sensor | VisorRoam, ghost_ping | implementation in progress |
| Agentic validation | VisorAgent, VisorRAG | shipped, scope-gated |
| Adversarial corpus | VisorCorpus | shipped |

Generic EASM scanners stop at the open port. They report port 11434 open, HTTP. AI-ASM reads the service behind it.
The same port surface holds:
- Ollama runtimes with model libraries the operator does not know are public
- vLLM and TGI gateways that pass through any prompt
- Open WebUI panels with the registration form left open
- LiteLLM proxies billing somebody else's OpenAI key
- Flowise instances one POST away from credential disclosure
- ChromaDB, Qdrant, and Weaviate clusters holding production embeddings
Each platform has its own data shape. Each one needs its own deep enumerator. The NuClide arsenal ships 120-plus dedicated fingerprints across 27 service categories because that is what the surface actually requires.
The corollary: the auth-permissive cohort default (Insight #76, derived from population-scale surveys across 33 platform categories) is platform-cohort dependent, not operator-dependent. Operators inherit shipping defaults. The map below names the cohorts, the surveys quantify them, and the toolchain reads them at population scale.
Related repos:
- AI-LLM-Infrastructure-OSINT - the survey corpus, 33 platform categories, 376 case studies, 88 methodology insights
- aimap - fingerprint plus deep-enum scanner, the core engine
- scanner - active-banner stage between passive discovery and deep enumeration
- VisorLog - findings ledger and ingest pipeline
- VisorGraph - cert-pivot for operator attribution
- BARE - semantic exploit-module ranking over scanner findings
- tiptoe - quiet, congestion-controlled assessment for sensitive targets
MIT. Part of the NuClide toolchain. Contact: nuclide-research.com